cerberus | 883f8af10d924cb42eb436f64271d067eb622fd4188d87523df618f1be245327

Analysis

max time kernel
3511477s
max time network
131s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
03-01-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f1b2261f52fe964d5807d19e9fbc652.apk
Size

4.6MB
MD5

3f1b2261f52fe964d5807d19e9fbc652
SHA1

8b8e25dbd9b1bc2a91aa514ca0451f049f2e3fd0
SHA256

883f8af10d924cb42eb436f64271d067eb622fd4188d87523df618f1be245327
SHA512

d4e354b9dffc4134483e37b751c3eef4b23824fdd53d306782c34533429d95171527a2671134bd416b6f346594a63aaace1a114dfb5ceadb229615a54df880a1
SSDEEP

98304:OUaNoRUamtlk0tVWK1b/Pgz7WItf0U1yvL2wJwgfG3BUdsE+A6N/lSv:oNoRmtlk0tVWKF/PQ7JJr1yvLDJUxE+O

Score

10^/10

cerberus banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

cerberus

http://androidsystemsettings.cf

Signatures

Cerberus
An Android banker that is being rented to actors beginning in 2019.
banker trojan infostealer evasion rat cerberus

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	enough.april.patient
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	enough.april.patient

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4247	enough.april.patient

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/enough.april.patient/app_DynamicOptDex/hu.json	4247	enough.april.patient
/data/user/0/enough.april.patient/app_DynamicOptDex/hu.json	4273	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/enough.april.patient/app_DynamicOptDex/hu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/enough.april.patient/app_DynamicOptDex/oat/x86/hu.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/enough.april.patient/app_DynamicOptDex/hu.json	4247	enough.april.patient

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	enough.april.patient

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	enough.april.patient

enough.april.patient
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4247
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/enough.april.patient/app_DynamicOptDex/hu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/enough.april.patient/app_DynamicOptDex/oat/x86/hu.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4273

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/enough.april.patient/app_DynamicOptDex/hu.json

Filesize
635KB

MD5
81fe657797c970ae79257413832f2606

SHA1
504636da51ae8a10a3adaa7a751d4c59a2e6c8ad

SHA256
63a77a0502109c9b8e8dae9b971da9e532584acdcd5011555687ddc620cadfaa

SHA512
f628fcff304e8bfb783909cb2b24fee76f579080299b8d1221dbae5333f9a048f0f7f610dcccddcf3bc0c49db651e3f785b98f562b153ece8ff300c04ae4c195

Download Submit
/data/data/enough.april.patient/app_DynamicOptDex/hu.json

Filesize
635KB

MD5
b4a3d812549b5a705d337b04812dbd36

SHA1
47979547495f16ee266cd2629ead959c527fd082

SHA256
691edfa323ab3b7eb4c66690aabb20fdf2d106fecfdc82b2a01cd3083d31ae9f

SHA512
64b4c2b32fd92d834e42d4b25c5473ec4e6b3c029f48ba85b39f229f2eec4686f4a2a8b746a64eb5f7a6346aef9a0636c263c3dba7e5a804601f80263d77ea68

Download Submit
/data/data/enough.april.patient/app_DynamicOptDex/oat/hu.json.cur.prof

Filesize
901B

MD5
a1ccd4b3e8a8c9e0d63a982862b17a22

SHA1
ed617c74eea105a92cd9698a6a18ad13b3b3fe74

SHA256
1f1497b2ebaa1b5eb48035a0bd7249e61c418898013320a83c0bca42d9d101c0

SHA512
d4ccb36253f7b15b9c9969c749880fe229c2a5b5c74106dd7d3dc53a1963d61f397db2ecd845788055d008b941ef518d5d342c49365a735e176701958c1be29c

Download Submit
/data/user/0/enough.april.patient/app_DynamicOptDex/hu.json

Filesize
635KB

MD5
62e399d2d4a537b90f9fdc6ece3e9049

SHA1
2e161f552c346a2772dfb1ce0f31085c985340e9

SHA256
f941b331b00863d6323dc63930c35ca352d971730dea8ccd5642d896680e6334

SHA512
b7f8ea393c5621492a1c0b7ff952773cad087b0ea1a52e5ec074bfb5d1be2331b8e859241dcf66be1665f7a623a3fafc839464dc7308c515d5b9779da0737f87

Download Submit